A Technical Introduction to the Quantstamp Security Assurance Protocol

At Quantstamp we are interested in smart contract security. Our newly released Betanet is helping to secure contracts in the wild, but we think there is still work to be done.

The Need for Assurance

Existing solutions – the Quantstamp Betanet included – focus largely on pre-deployment security checks. Such checks don’t guarantee that a smart contract cannot be hacked in the future. Once a contract is deployed on mainnet, it may still contain subtle bugs which leave it open to attack; after all, Ethereum contracts are immutable. Automated checks are great, but may contain false positives or false negatives, and while manual white-glove audits are better, they are still subject to human error. Moreover, novel attack vectors present themselves as the technology matures and attackers spend more and more time determining how to exploit weaknesses in a platform.

Providing a sense of assurance for contracts that have been deployed on the mainnet fills a gap in the current smart contract security ecosystem. Assurance of deployed contract correctness has been a goal of Quantstamp since we began on our mission, including as described in the whitepaper. To this end, we’re proud to present the Quantstamp Security Assurance Protocol.

The Quantstamp Security Assurance Protocol

The Quantstamp Security Assurance Protocol aims to allow users, which we will call pool owners (for reasons that will become clear below), of a deployed smart contract to de-risk the potential negative consequences of a security incident. Assurance would be provided by both security experts and non-experts who are incentivized to understand and assure the security, safety, or other performance characteristics of a smart contract.

How it Works

IMPORTANT CAUTION: “How It Works” and the content in this post are provided for informational purposes only and describe our current vision and design aspirations for the Quantstamp Security Assurance Protocol and platform and functionality of QSP tokens. Potential features, functionality, schedules, implementation, testing environments, and/or design architectures are subject to continuing update, modification, cancellation, delay, external dependencies, third-party operators, third-party platforms, evolving regulatory frameworks, and/or factors beyond our control. You are cautioned not to place undue reliance on this information. FOR AVOIDANCE OF DOUBT, THE INFORMATION, PROTOCOL, PLATFORM, AND ACCESS AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE USED, CONSIDERED, OR RELIED UPON AS ANY MANNER OR FORM OF INVESTMENT, INVESTMENT PURPOSE, VEHICLE WITH AN EXPECTATION TO EARN A PROFIT, OR FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.

A CCR is a Centralized Curated Registry. Quantstamp will maintain a list of security experts.

The Quantstamp Security Assurance Protocol is designed to enable smart contract users (and other pool owners) periodically reward security experts (and other people willing to assure the security and safety of a smart contract in return for compensation) for their skills in assessing the security of contracts that pool owners care about. For the sake of simplicity, we will consider only pool owners who are users of some contract. Similarly for the limited purpose of this illustrative discussion, we will assume everyone who is willing to assure the security and safety of a smart contract is a security expert (or simply, an expert).

In this service marketplace concept, a concerned smart contract user incentivizes security experts to stake collateral through the Quantstamp Security Assurance Protocol. The value of the collateral is determined by the user, who must estimate for themselves the cost of the contract’s failure to operate as expected. For example, if the contract holds a user’s deposit, the user may ask for a collateral whose value is equal to their deposit. If this community stakes such a collateral, the user promises to periodically reward the community, provided the smart contract continues to operate as the user desires. If the contract misbehaves, the experts instead relinquish their staked collateral to the user according to the terms set by the user. This mechanism is intended to compensate the user for the loss of funds or other damage they may suffer from the contract misbehaving.

The Quantstamp Security Assurance Protocol user must provide a suitable definition of the behaviour of the smart contract that they wish to avoid. The Quantstamp Security Assurance Protocol will incentivize security experts to analyze the contract and determine if it will ever operate in an undesirable way, according to the definition provided by the user.

Note that, before deploying a smart contract, users could instead pay for an expensive audit, but this may not be possible or helpful. Simply put, if the audit fee is too high, then they’re out of luck. Instead, the protocol enables an incentive to security experts and community members in the form of a periodic reward distributed over time, which may result in a significantly smaller up-front cost for the user, as in the example below. Even if an audit is affordable, audits usually ask for things not available on the blockchain: test cases and design documents, which users do not generally have access to. Community members may not require these documents to assert that a contract is safe to use.

Example

This is an illustrative example of the latest version of the UI for the Security Assurance Protocol. This UI may change in the future.

Plasma is a framework that can be used by application developers in order to increase transaction throughput. Lukas Schor (of Argon) summarizes it nicely: “Like payment channels in the Bitcoin Lightning Network, Plasma is a technique for conducting off-chain transactions while relying on the underlying Ethereum blockchain to ground its security.” Plasma achieves this functionality via a plasma operator who runs a plasma chain which handles the transactions between plasma participants. Plasma chain block headers are periodically published on the Ethereum network. Users can deposit funds to, or withdraw funds from the plasma chain via a root contract, which is a smart contract on Ethereum.

Users join the plasma chain through the root contract, either directly or through some interface provided by a decentralized application. If the root contract is hacked, users may lose assets.

The current state of specification for the plasma framework is that it is underspecified at worst, or varied and overwhelming at best, plasma contracts are complicated and hard to get right. Naturally, as a mere framework, plasma does not require that a root contract be audited. Given the combination of complex code with the potential storage of assets with significant value, plasma contracts will be an alluring target for attackers.

The users for an application implementing a plasma chain may wish to have some assurance that this undesirable scenario isn’t possible, or that they get some compensation if it occurs. Compensation is desirable because it reduces the potential loss incurred by using a plasma chain that is attacked.

For simplicity, assume that a user U uses some application which uses a plasma chain for which the root contract is R.

User U can use the Quantstamp Security Assurance Protocol to get additional assurance that R will continue to operate as U wants it to operate, even if U is not R: i.e., U is assured that someone else’s smart contract will work correctly. It allows smart contract users to receive assurance that a contract they rely on won’t misbehave, even if they didn’t write the contract themselves. In addition, the Quantstamp Security Assurance Protocol enables a service marketplace for security experts to sell their skills, by assessing the security of contracts that pool owners care about. IMPORTANT CAUTION: While we are continuing to explore design architectures through testing and learning, QSP tokens as currently envisioned in this protocol should be acquired and utilized solely for the purposes of prepaying for and consuming security services and performing the functionality of the associated staking without any reasonable expectation of profit in QSP tokens as an investment vehicle.

User U achieves this as follows: U asks the community to stake a certain amount of QSP through the Quantstamp Security Assurance Protocol. If the community stakes this value, U promises to periodically reward those who participate, provided R continues to operate as U desires. In order for this to be possible, U must provide a suitable definition of the behaviour of R that they wish to avoid. This incentivizes the community to investigate the contract R to determine if R will operate in an undesirable way, according to the definition provided by U. User U sets the terms of compensation in case the community is wrong.

For example, U could ask that the community stake 1,000,000 QSP to claim that R will not have a zero balance (e.g., it has been hacked - since U knows it will always have at least the balance U deposited, provided U has not withdrawn their deposit) for the next 1,500,000 blocks. In turn, U will pay a total of 10,000 QSP every 125,000 blocks (about 28 days, assuming 20 seconds per block), split amongst those who staked their QSP. On the other hand, if R’s account drops to zero, U will be able to claim 1,000,000 QSP from all the stakes made by the community. After 1,500,000 blocks (about 347 days), the payments from U will stop, and the community can reclaim their staked QSP. If there’s no hack and R continues to operate as intended, the community has successfully put their QSP to work.

In the use case above, the user U is a pool owner of R, and community members who stake are called assurance providers. The Quantstamp Security Assurance Protocol allows arbitrary pool owners to ask for a stake by arbitrary assurance providers, and to set their own terms. Pool owners will be free to set the behaviour that is undesirable, the amount they’re willing to pay assurance providers (and the rate at which they do so), and the amount they wish to claim in the event that the undesirable behaviour occurs.

“Undesirable behaviour” will be automatically checked by the Quantstamp Security Assurance Protocol when participants wish to withdraw funds. In short, it’s going to be the result of a function call on a policy contract defined by the pool owner. Since the pool owner will define that contract, it’s going to be a case of “buyer beware” – pool owners may put backdoors in the policy.

In order to mitigate backdoors and malicious policy contracts, the Quantstamp Security Assurance will point to a list of security experts whose lead other assurance providers can follow for questionable policies. The Quantstamp Security Assurance Protocol will point to a Centralized Curated Registry (CCR) which will hold a continuously evolving list of addresses of community members who have demonstrated themselves to be security experts. Security experts who stake that a contract is secure – which is to say, will perform as expected – will gain a larger share of the periodic payment provided by the pool owner. Security experts who stake earlier than others will earn even more; this discourages other experts from simply bandwagoning after another expert who actually checks the contract. Of course, if experts on the CCR stake on insecure contracts, they shouldn’t expect to stay on it for long.

And of course, pool owners will be able to link to an audit report if they have one, to enable assurance providers to make as informed a decision as possible when deciding whether or not to put their QSP on the line.

In short, the Quantstamp Security Assurance Protocol is designed to assure users of a smart contract of its behaviour by asking security experts to stake collateral against the claim that it will misbehave. Assurance could be available even when the user didn’t author the contract. Moreover, the Quantstamp Security Assurance Protocol would allow security experts to put their QSP to good use and receive income for services based on their skills.

The Quantstamp Security Assurance Protocol is in development now after months of research, and we’re aiming to release the first pilot version in the upcoming months.

This post was authored by Blockchain Researcher Jan Gorzny, (Ph.D Candidate) with contributions from Senior Research Engineer Sebastian Banescu, Ph.D.

Quantstamp and MythX are very excited to support EthBerlin this year. If you're participating, come find us at the HelpDesk, your one-stop resource for any security-related inquiries. Need suggestions on more secure code implementations or advice on mitigating certain vulnerabilities? The HelpDesk is available round the clock to offer guidance and assistance throughout the hackathon.

Computer scientists say that a procedure is re-entrant if its execution can be interrupted in the middle, initiated over (re-entered), and both runs can complete without any errors in execution. In the context of Ethereum smart contracts, re-entrancy can lead to serious vulnerabilities.